This threat searches for and encrypts files with the following filename extensions:

.123, .602, .doc, .3dm, .3ds, .3g2, .3gp, .7z, .accdb, .aes, .ai, .ARC,
.asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .c,
.cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der,
.dif, .dip, .djvu, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml,
.fla, .flv, .frm, .gif, .gpg, .gz, .h, .hwp, .ibd, .iso, .jar, .java,
.jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb,
.mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi,
.nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott,
.p12, .PAQ, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx,
.ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw,
.rb, .rtf, .sch, .sh, .sldm, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3,
.sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm,
.sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd,
.vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv,
.xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

The ransomware may create the following files:

r.wnry, s.wnry, t.wnry, taskdl.exe, taskse.exe, 00000000.eky, 00000000.res,
00000000.pky, @WanaDecryptor@.exe, @Please_Read_Me@.txt, m.vbs, @WanaDecryptor@.exe.lnk

It appends .WNCRY to the filename of encrypted files. For example:

file.docx is renamed to file.docx.WNCRY

file.pdf is renamed to file.pdf.WNCRY
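As an added defender-side example (not part of the original analysis), the following Python helper classifies a file listing using the naming behaviour described above: the .WNCRY suffix, the targeted extensions (only a subset is embedded here) and the dropped file names. The sample paths are constructed.

```python
"""Added triage example (not the original analysis); sample paths below are constructed."""
from collections import Counter
from pathlib import PurePosixPath

# Subset of the targeted extensions this page lists; extend from the full list.
TARGETED_EXTENSIONS = {
    ".docx", ".pdf", ".xlsx", ".pptx", ".jpg", ".png", ".sql", ".vmdk",
    ".pem", ".pfx", ".bak", ".zip", ".c", ".h", ".java", ".txt", ".arc",
}
ENCRYPTED_SUFFIX = ".WNCRY"  # appended to each encrypted file's name
# Files the page says the ransomware may create.
DROPPED_FILES = {
    "r.wnry", "s.wnry", "t.wnry", "taskdl.exe", "taskse.exe",
    "00000000.eky", "00000000.res", "00000000.pky", "m.vbs",
    "@WanaDecryptor@.exe", "@Please_Read_Me@.txt", "@WanaDecryptor@.exe.lnk",
}

def original_extension(name: str) -> str:
    """For 'file.docx.WNCRY' return '.docx' (lower-cased; the page lists .ARC/.PAQ in caps)."""
    return PurePosixPath(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()

def classify(path: str) -> str:
    """Return 'dropped', 'encrypted', 'encrypted-unlisted-ext' or 'clean'."""
    name = PurePosixPath(path).name
    if name in DROPPED_FILES:
        return "dropped"
    if name.endswith(ENCRYPTED_SUFFIX):
        # .WNCRY on an extension outside the list still deserves a look.
        return "encrypted" if original_extension(name) in TARGETED_EXTENSIONS else "encrypted-unlisted-ext"
    return "clean"

def triage(paths):
    """Count each class and tally which original extensions were hit."""
    counts, hit_exts = Counter(), Counter()
    for p in paths:
        label = classify(p)
        counts[label] += 1
        if label == "encrypted":
            hit_exts[original_extension(PurePosixPath(p).name)] += 1
    return dict(counts), dict(hit_exts)

SAMPLE_LISTING = [  # constructed, not from a real host
    "/srv/share/report.docx.WNCRY", "/srv/share/budget.xlsx.WNCRY",
    "/srv/share/photo.JPG.WNCRY", "/srv/share/odd.xyz.WNCRY",
    "/srv/share/@Please_Read_Me@.txt", "/srv/share/@WanaDecryptor@.exe",
    "/srv/share/notes.md",
]
if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```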

SHA1s used in this analysis:

Analysis by: Andrea Lelli

Solution:

Adrien Guinet of QuarksLab in Paris released a potential fix on GitHub (https://github.com/aguinet/wannakey), which relies on recovering private-key traces from the infected computer's memory to decrypt the files. There is a caveat: the fix may fail if the malware or other processes have overwritten the key traces in memory, or if the user rebooted the computer after the infection.